Microsoft says security programs are paying off
Company releases progress report on three programs launched a year ago to identify security holes and patch them faster.
One year after launching three security programs designed to improve security industry-wide, Microsoft is finding that more security patches are beating exploits out the door.
Meanwhile, the Microsoft Security Response Center said that of the 50 security bulletins it published from October 2008 to June 2009, patches were released in response to 138 vulnerabilities. Of those, 17 had public exploit code available at the time of the release, and for 67, consistent exploit code was likely to be written, according to the software giant.
The news comes after Microsoft announced on Friday that it would be releasing security updates on Tuesday--outside of its monthly patch cycle--for a critical vulnerability in Internet Explorer and a moderate vulnerability in Visual Studio.
Meanwhile, Microsoft has yet to plug a critical ActiveX hole in Office that it warned two weeks ago attackers were exploiting to take control of PCs by luring Internet Explorer users to malicious Web sites. It was the third zero-day hole announced by Microsoft in less than two months.
In August 2008, the Microsoft Security Response Center announced three security programs to help improve security for customers, partners, and others. The company issued a progress report on Monday in advance of the Black Hat security conferences set to begin on Tuesday in Las Vegas.
Through its Microsoft Active Protections Program (MAPP), Microsoft supplies vulnerability information to 45 partners prior to the monthly Microsoft Patch Tuesday security updates. MAPP partner and network security provider Sourcefire issues protections based on the information for about 95 percent of the monthly Microsoft security bulletins.
Before MAPP, it took about eight hours to reverse-engineer, develop proof-of-concept code, and build the exploit detection for a vulnerability, which is about the time it takes for a savvy attacker to generate exploit code after a vulnerability has been disclosed, Microsoft said.
Now, it takes only about two hours, according to Sourcefire. Sourcefire developers only have to write the detection code because Microsoft provides the rest, meaning that patches are typically released hours ahead of any exploits, Microsoft said.
In estimating how exploitable vulnerabilities are, Microsoft said it has had a 99 percent reliability rate. Of 140 ratings in the Microsoft Exploitability Index, also released last year, there has only been one revision that dropped the severity of the vulnerability, the company said.
For the third program, Microsoft Vulnerability Research (MSVR), Microsoft researchers work to find holes in third-party software. From June 2008 until June 2009 the MSVR team identified software vulnerabilities affecting 32 vendors, Microsoft said.
Of the holes found in the outside software, 86 percent were critical or important and 13 percent have been fixed, while 5 percent are in the process of being resolved, according to Microsoft. The MSVR team and Microsoft security researcher Billy Rios were credited with finding holes recently fixed in the Apple Safari browser.
"We're seeing attacks get more complex," said Mike Reavey, director of the Microsoft Security Response Center. "There's a race between attackers and defenders and collaboration is needed in the industry."
Microsoft is unveiling this week Microsoft Office Visualization Tool, which offers a graphical view of Office binary file formats so programmers can better see where vulnerabilities and malware might be embedded within an Office document.
Microsoft also is announcing Project Quant, an online spreadsheet tool designed to help IT administrators estimate the costs associated with software update management.